Using secure application roles

Secure application roles can be used to grant roles selectively based on the specific needs of the application users. The main advantage is that secure application roles do not require hardcoded passwords in the application code, and can be enabled in the background using a stored procedure. In this way, you can develop some strict rules to allow users to receive certain privileges only while the application is in use. Also in this recipe we will create two users vw_america and vw_europe that will also be used in the further recipes.

Getting ready

All the steps will be performed on the HACKDB database.

How to do it...

The application role will be enabled by using the default context sys_context. A detailed coverage on contexts can be found in Chapter 5, Beyond Privileges: Oracle Virtual Private Database.

  1. Connect as the user system. Create two users vw_america and vw_europe and grant create session privilege to each of them as follows:
    SQL> create user vw_america identified by vw_america;
User created.
SQL> create user vw_europe identified by vw_europe;
User created.
SQL> grant connect to vw_america,vw_europe;
Grant succeeded.
SQL> 
Grant succeeded.
  2. Connect as the user system and create the secure role s_app_role, as follows:
    SQL> create role s_app_role identified using s_app_role_proc;

Role created.
  3. Connect as the user HR and use grant select on emp_details_view to s_app_role, as follows:
    SQL> conn HR
Password: 
Connected.

SQL> grant select on emp_details_view to s_app_role;

Grant succeeded.

SQL>
  4. Connect as the user system and create s_app_role_proc, which will enable s_app_role based on the values returned by sys_context, as follows:
    SQL> conn system
Enter password:
Connected.

  1  create or replace procedure  s_app_role_proc
  2  authid current_user as
  3  begin
  4  if (sys_context('userenv','session_user')='vm_america' or sys_context('userenv','session_user')='vm_europe')
  5  then
  6  dbms_session.set_role('s_app_role'),
  7  end if;
  8* end;
SQL> /

Procedure created.
  5. Apply grant execute on the procedure s_app_role_proc to vw_america and vw_europe, as follows:
    SQL> grant execute on s_app_role_proc to vw_america,vw_europe;

Grant succeeded.
  6. Grant the secure application role s_app_role to the users vw_america and vw_europe, as follows:
    SQL> grant s_app_role to vw_america,vw_europe;

Grant succeeded.

SQL>
  7. Connect as the user vw_america and execute the s_app_role_proc procedure to enable the secure application role, as follows:
    SQL> conn vw_america
Enter password:
Connected.
SQL> exec security_adm.s_app_role_proc;

PL/SQL procedure successfully completed.
  8. In this moment, vw_america has s_app_role enabled and should be able to select from hr.emp_details_view:
    SQL> select count(*) from hr.emp_details_view
  2  ;

  COUNT(*)
----------
       106

SQL>
  9. Get the current enabled roles within the current session as follows:
    SQL> select role from session_roles;

ROLE
------------------------------
S_APP_ROLE

How it works...

Secure application roles are enabled only when the context returns the appropriate value. It is a very good method to use for privilege segregation.

There's more...

Secure application roles can be used to implement security together with technologies, such as Oracle Vault. See Chapter 7, Beyond Privileges: Oracle Database Vault.

See also

  • The Using session-based application contexts recipe in Chapter 5, Beyond Privileges: Oracle Virtual Private Database
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.144.222.185